Serial Killer Silently Pwning Your Java Endpoints
Example (has been fixed)
org.apache.commons.scxml2.env.groovy.GroovyContext
/**
 * Custom deserialization hook for GroovyContext (the enclosing class header
 * is outside this listing). Reads, in stream order: scriptBaseClass,
 * evaluator, binding, then a byte[] that holds a second, nested serialized
 * object graph which becomes {@code vars}.
 *
 * SECURITY NOTE (review): the nested byte[] is handed to a fresh
 * ObjectInputStream that applies no class filtering. When {@code evaluator}
 * is non-null, its resolveClass override resolves whatever class name the
 * payload carries via Class.forName(name, true, groovyClassLoader), and the
 * {@code true} argument also runs that class's static initializer. If the
 * outer stream carries untrusted input, this is a deserialization exposure;
 * the slide heading states this version has since been fixed, but the fix
 * itself is not shown on this page. Defensive options a reviewer would
 * expect: an allow-list check inside resolveClass, or (Java 9+)
 * ObjectInputStream.setObjectInputFilter on the nested stream.
 *
 * @param in the outer stream this object is being read from
 * @throws IOException on a stream error
 * @throws ClassNotFoundException if a class named in the stream cannot be resolved
 */
@SuppressWarnings("unchecked")
private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
    // Read order is the serialized-form order; reordering these calls would
    // change which value each field receives.
    this.scriptBaseClass = (String) in.readObject();
    this.evaluator = (GroovyEvaluator) in.readObject();
    this.binding = (GroovyContextBinding) in.readObject();
    // Opaque payload: a whole second serialized graph embedded as bytes.
    byte[] bytes = (byte[]) in.readObject();
    if (evaluator != null) {
        // Nested stream: class resolution is delegated to the evaluator's
        // Groovy class loader, with no restriction on the class name.
        this.vars = (Map)
            new ObjectInputStream(new ByteArrayInputStream(bytes)) {
                protected Class resolveClass(ObjectStreamClass osc) throws IOException, ClassNotFoundException {
                    // initialize=true: static initializers of the named class run here.
                    return Class.forName(osc.getName(), true, evaluator.getGroovyClassLoader());
                }
            }.readObject();
    }
    else {
        // No evaluator: default ObjectInputStream resolution, still unfiltered.
        this.vars = (Map) new ObjectInputStream(new ByteArrayInputStream(bytes)).readObject();
    }
}